Pentagon to boost cybersecurity force

By Ellen Nakashima

The Pentagon has approved a major expansion of its cybersecurity force over the next several years, increasing its size more than fivefold to bolster the nation’s ability to defend critical computer systems and conduct offensive computer operations against foreign adversaries, according to U.S. officials.

The move, requested by the head of the Defense Department’s Cyber Command, is part of an effort to turn an organization that has focused largely on defensive measures into the equivalent of an Internet-era fighting force. The command, made up of about 900 personnel, will expand to include 4,900 troops and civilians.

Details of the plan have not been finalized, but the decision to expand the Cyber Command was made by senior Pentagon officials late last year in recognition of a growing threat in cyberspace, said officials, who spoke on the condition of anonymity because the expansion has not been formally announced. The gravity of that threat, they said, has been highlighted by a string of sabotage attacks, including one in which a virus was used to wipe dat a from more than 30,000 computers at a Saudi Arabian state oil company last summer.

The plan calls for the creation of three types of forces under the Cyber Command: “national mission forces” to protect computer systems that undergird electrical grids, power plants and other infrastructure deemed critical to national and economic security; “combat mission forces” to help commanders abroad plan and execute attacks or other offensive operations; and “cyber protection forces” to fortify the Defense Department’s networks.

Targeting ‘malicious actors’

Although the command was established three years ago for some of these purposes, it has largely been consumed by the need to develop policy and legal frameworks and ensure that the military networks are defended. Current and former defense officials said the plan will allow the command to better fulfill its mission.

“Given the malicious actors that are out there and the development of the technology, in my mind, there’s little doubt that some adversary is going to attempt a significant cyberattack on the United States at some point,” said William J. Lynn III, a former deputy defense secretary who helped fashion the Pentagon’s cybersecurity strategy. “The only question is whether we’re going to take the necessary steps like this one to deflect the impact of the attack in advance or . . . read about the steps we should have taken in some post-attack commission report.”

Although generally agreed to by the military’s service chiefs, the plan has raised concerns about how the Army, Navy, Marines and Air Force will find so many qualified cybersecurity personnel and train them. It also raises deeper issues — which are likely to intensify as the Cyber Command grows over the years — about how closely the command should be aligned with the National Security Agency, the giant electronic-spying agency that provides much of its intelligence support.

The head of the Cyber Command, Gen. Keith B. Alexander, is also the director of the NSA, which employs some of the nation’s most advanced cyber-operations specialists.

The new force structure was alluded to last fall in a major speech by Defense Secretary Leon E. Panetta, who said, “Our mission is to defend the nation,” and noted that the department was “putting in place the policies and organizations we need to execute the mission.”

In an interview, a senior defense official said that the “national mission” teams would focus their efforts overseas and that any actions they took would be directed outside U.S. networks — unless the teams were asked to provide assistance to another agency with domestic authority, such as the FBI.

“There’s no intent to have the military crawl inside industry or private networks and provide that type of security,” the official said.

He stressed that the military would act only in cases in which there was a threat of an attack that could “really hurt,” adding: “We’re not talking about doing something to make sure that Mrs. Smith’s bank account didn’t get hijacked by somebody.”

The plan to expand the Cyber Command comes at a time when the military’s services are being ordered to cut spending, a reflection of how important senior military officials consider the need to improve the nation’s cybersecurity footing. Some military officials have grudgingly accepted the need to contribute personnel to an expanded cybersecurity force. There are also differences over how much control the combatant commands will have over cyber teams.

The “combat mission” teams may help commanders in operations such as a cyber component to disable an enemy’s command-and-control system before a conventional attack. Each region will have teams that focus on particular threats — say, from China or Iran.

“You get the resource guys sucking a lot of air through their teeth because they know their service chiefs have backed it,” one Navy official said. “So they have to find the resources to pay for the people.”

Alignment with NSA

Some military and defense officials question whether the Cyber Command can reach its full potential as a military command as long as it is so dependent on the NSA and is led by the NSA’s director. The close relationship between the two has had its advantages, officials say: The agency can peer into foreign networks and provide the command with intelligence, including in cases in which an adversary is suspected of planning a computer attack or developing a potent virus.

“That gives you an advantage of being able to plan for and be prepared to react,” the defense official said.

But the NSA is so intertwined with the Cyber Command — the two operations centers are located side by side, and, until recently, some Cyber Command personnel had nsa.gov e-mail addresses — that some current and former officials wonder whether the military command can create an independent, strategic doctrine. The concern is that the intelligence agency’s priorities will dominate, with an emphasis on the development of tools that are useful for surveillance but not necessarily for disrupting adversaries.

There’s a “cogent argument” to be made that for the Cyber Command to become a true military command, “you sever that” relationship, one military official said.

But, in fact, said one former intelligence official, the NSA uses military personnel to do much of its work and pays for a good portion of the services’ cyber operators. “That’s been the plan all along,” the former official said. “Take the talent resident in NSA, turn it into [cyber] attack talent.”

With the decision to expand the Cyber Command, Alexander, who has been asked to stay on until summer 2014, is seeing some of his vision fulfilled. He has sought independent budget authority for the Cyber Command to hire and control forces, similar to the way Special Operations Command can. He has not won that authority, though officials agreed to give him the additional forces. He also has the support of senior Pentagon officials to elevate the Cyber Command to full command status, out from under the aegis of Strategic Command. But that move, which requires consulting with Congress, is not happening just yet, officials say.